Tier 1 — Baseline
Tier 1 is the floor every repo should clear on day one. It costs almost nothing and delivers the largest single jump in supply-chain integrity: known dependencies, known build inputs, and CI tokens scoped to what each job actually needs.
The patterns in this tier remove ambiguity. After Tier 1, every install reproduces the same dependency tree byte-for-byte, every CI run executes the same action source code, and every job has only the GitHub token scopes it actually needs.
Patterns
- Commit a lockfile — every package manager, frozen in CI
- SHA-pin every third-party GitHub Action — full 40-character commit SHAs, never tags or branches
- Pin the runner OS — versioned labels (ubuntu-24.04), never floating aliases
- Pin the language toolchain — tracked file per ecosystem, source of truth for the setup-* action
- Minimal workflow permissions — permissions: { contents: read } as the default; widen per job only when needed
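The five patterns above are easy to state and easy to regress on, so the check below is an added example (not code from the deterministic-deps repo or any other OSL project) that audits a workflow file for them: a top-level read-only permissions block, 40-character SHA refs on every remote action, a versioned runner label, a toolchain version taken from a tracked file rather than written inline, and a frozen install instead of npm install. Both sample workflows are constructed for the example; the all-zero SHAs in the compliant one are placeholders standing in for the real commit of the tag you audited, and the checker is deliberately line-based (no YAML library) so it runs with the standard library alone.

```python
import re

# Constructed sample: clears Tier 1. The 40 zeros are a PLACEHOLDER SHA;
# in a real workflow this is the audited commit behind the version tag in the comment.
COMPLIANT = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          node-version-file: .nvmrc
      - run: npm ci
"""

# Constructed sample: the usual day-zero workflow with every Tier 1 pattern missing.
NONCOMPLIANT = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
        with:
          node-version: 20
      - run: npm install
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# "ubuntu-latest", "macos-latest", or a bare OS name all float to whatever GitHub ships next.
FLOATING_RUNNER = re.compile(r"-latest$|^(ubuntu|windows|macos)$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per Tier 1 violation; an empty list means the workflow clears the tier."""
    findings = []
    lines = text.splitlines()

    # Pattern 5: a workflow-level permissions block at column 0 must exist, otherwise the
    # GITHUB_TOKEN falls back to the repository default, which may be read/write.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level permissions block (token falls back to repo default)")

    for n, line in enumerate(lines, 1):
        s = line.strip()

        # Pattern 2: every remote action ref must be a full 40-hex-char commit SHA.
        m = re.match(r"-?\s*uses:\s*(\S+)", s)
        if m:
            ref = m.group(1)
            if not (ref.startswith("./") or ref.startswith("docker://")):  # local/docker refs are out of scope
                action, _, version = ref.partition("@")
                if not SHA40.match(version):
                    findings.append(f"line {n}: {action} pinned to '{version}', not a 40-char SHA")

        # Pattern 3: runner label must be versioned, never a floating alias.
        m = re.match(r"runs-on:\s*(\S+)", s)
        if m and FLOATING_RUNNER.search(m.group(1)):
            findings.append(f"line {n}: floating runner label '{m.group(1)}'")

        # Pattern 4: toolchain version belongs in a tracked file (node-version-file), not inline.
        if re.match(r"node-version:\s*\S+", s):
            findings.append(f"line {n}: toolchain version inline; use node-version-file")

        # Pattern 1: 'npm install' can rewrite package-lock.json; 'npm ci' fails if it would.
        m = re.match(r"-?\s*run:\s*(.+)", s)
        if m and re.search(r"\bnpm install\b", m.group(1)):
            findings.append(f"line {n}: 'npm install' may rewrite the lockfile; use 'npm ci'")

    return findings


if __name__ == "__main__":
    for label, wf in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(f"{label}: {audit_workflow(wf) or 'OK'}")
```

Run as a script it prints an empty finding list for the first workflow and six findings for the second. The frozen-install check only knows npm here; the same pattern extends to `pip install --require-hashes`, `cargo --locked`, or `pnpm install --frozen-lockfile` by adding a regex per ecosystem.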
Cross-tier worked example
Ozark-Security-Labs/deterministic-deps is the most compact public OSL repo that demonstrates the Tier 1 patterns in context. Each pattern’s “Real example” link points at the specific file in that repo (or another OSL repo where the pattern is shown more cleanly for a given ecosystem).
When you’re ready
When the patterns above are routine for you, move on to Tier 2 — Hardened to add active CI enforcement on top of Tier 1’s discipline.